RESOLUTION AGREEMENT
I.

Recitals

1. Parties. The Parties to this Resolution Agreement (“Agreement”) are:
a. The United States Department of Health and Human Services, Office for Civil
Rights (“HHS”), which enforces the Federal standards that govern the privacy
of individually identifiable health information (45 C.F.R. Part 160 and
Subparts A and E of Part 164, the “Privacy Rule”), the Federal standards that
govern the security of electronic individually identifiable health information
(45 C.F.R. Part 160 and Subparts A and C of Part 164, the “Security Rule”),
and the Federal standards for notification in the case of breach of unsecured
protected health information (45 C.F.R. Part 160 and Subparts A and D of 45
C.F.R. Part 164, the “Breach Notification Rule”). HHS has the authority to
conduct compliance reviews and investigations of complaints alleging
violations of the Privacy, Security, and Breach Notification Rules (the
“HIPAA Rules”) by covered entities and business associates, and covered
entities and business associates must cooperate with HHS compliance reviews
and investigations. See 45 C.F.R. §§ 160.306(c), 160.308, and 160.310(b).
b. Fresenius Medical Care Holdings, Inc. d/b/a Fresenius Medical Care North
America (“FMCNA”) on behalf of each of the following entities under
FMCNA’s common ownership and control, which meet the definition of
“covered entity” under 45 C.F.R. § 160.103 and therefore are required to comply
with the HIPAA Rules;
1. Bio-Medical Applications of Florida, Inc. d/b/a Fresenius Medical Care
Duval Facility (“FMC Duval”)
2. Bio-Medical Applications of Alabama, Inc. d/b/a Fresenius Medical Care
Magnolia Grove (“FMC Magnolia Grove”)
3. Renal Dimensions, LLC d/b/a Fresenius Medical Care Ak-Chin (“FMC
Ak-Chin”)
4. Fresenius Vascular Care Augusta, LLC (“FVC Augusta”)
5. WSKC Dialysis Services, Inc. d/b/a Fresenius Medical Care Blue Island
Dialysis (“FMC Blue Island”)
These covered entities are also individually and collectively referred to herein as “FMCNA
Covered Entities.”
HHS and FMCNA shall together be referred to herein as the “Parties.”
2. Factual Background and Covered Conduct
On January 21, 2013, FMCNA submitted five breach reports to HHS regarding breaches of its
unsecured electronic protected health information (“ePHI”). Each breach report pertained to a
separate and distinct incident involving loss or theft of ePHI of the FMCNA Covered Entities.
1

 FMCNA provides centralized corporate support to the FMCNA Covered Entities involved in the
breaches, including centrally storing its patients’ medical records, creating and disseminating
HIPAA policies and procedures, and investigating the circumstances of each breach reported to it
by the FMCNA Covered Entities.
a. FMC Duval Breach: On February 23, 2012, two desktop computers were stolen
during a break-in at FMC Duval, one of which contained the ePHI of 200 individuals,
including patient name, admission date, date of first dialysis, days and times of
treatments, date of birth, and social security number.
b. FMC Magnolia Grove Breach: On April 3, 2012, an unencrypted USB drive was
stolen from a workforce member’s car while it was parked in the lot at FMC
Magnolia Grove. The USB drive contained the ePHI of 245 individuals, including
patient name, address, date of birth, telephone number, insurance company, insurance
account number (a potential social security number derivative for some patients) and
the covered entity location where each patient was seen.
c. FMC Ak-Chin Breach: On June 18, 2012, the FMCNA compliance line received an
anonymous report that a hard drive from a desktop computer, which had been taken
out of service to be replaced, was missing from FMC Ak-Chin on April 6, 2012. The
hard drive contained the ePHI of 35 individuals, including name, date of birth, social
security number and zip code. The workforce member whose hard drive was missing
promptly notified the Area Manager; however, the Area Manager failed to report the
incident to the FMCNA Corporate Risk Management Department
d. FVC Augusta Breach: On June 16, 2012, a workforce member’s unencrypted laptop
was stolen from her car while parked overnight at her home, where it was stored in a
bag with a list of her passwords. The laptop contained the ePHI of 10 individuals,
including patient name, insurance account number (which could be a social security
number derivative) and other insurance information.
e. FMC Blue Island Breach: On or around June 17-18, 2012, three desktop computers
and one encrypted laptop were stolen from the Blue Island Facility location. One of
the desktop computers contained the ePHI of 31 individuals, including patient name,
dates of birth, address, telephone number, social security number or partial social
security number.
On July 15, 2013, OCR initiated a compliance review to investigate the five breach reports.
OCR’s investigation indicated that the following conduct occurred (“Covered Conduct”):
a. The FMCNA Covered Entities failed to conduct an accurate and thorough risk
analysis of potential risks and vulnerabilities to the confidentiality, integrity, and
availability of all of its ePHI. See 45 C.F.R. §164.308(a)(1)(ii)(A).

2

 b. The FMCNA Covered Entities impermissibly disclosed the ePHI of its patients by
providing unauthorized access for a purpose not permitted by the Privacy Rule.
See 45 C.F.R. § 164.502(a).
c. FMC Duval and FMC Blue Island failed to implement policies and procedures to
safeguard its facilities and the equipment therein from unauthorized access,
tampering, and theft. See 45 C.F.R. §164.310(a)(2)(ii).
d. FMC Magnolia Grove failed to implement policies and procedures that govern the
receipt and removal of hardware and electronic media that contain ePHI into and
out of a facility, and the movement of these items within the facility. See 45
C.F.R. § 164.310(d)(1).
e. FMC Magnolia Grove and FVC Augusta failed to implement a mechanism to
encrypt and decrypt ePHI. See 45 C.F.R. §164.312(a)(2)(iv).
f. FMC Ak-Chin failed to implement policies and procedures to address security
incidents. See 45 C.F.R. § 164.308(6)(i).
g. FVC Augusta failed to implement policies and procedures that specify the proper
functions to be performed, the manner in which those functions are to be performed,
and the physical attributes of the surroundings of a specific workstation or class of
workstation that can access ePHI. See 45 C.F.R. § 164.310(b).
3. No Admission. This Agreement is not an admission of liability by FMCNA Covered
Entities.
4. No Concession. This Agreement is not a concession by HHS that FMCNA Covered
Entities are not in violation of the HIPAA Rules and not liable for civil money penalties.
5. Intention of Parties to Effect Resolution. This Agreement is intended to resolve OCR
Transaction Number: 01-13-160065 and any violations of the HIPAA Rules related to the
Covered Conduct specified in paragraph I.2 of this Agreement. In consideration of the
Parties’ interest in avoiding the uncertainty, burden, and expense of formal proceedings,
the Parties agree to resolve this matter according to the Terms and Conditions below.
II.

Terms and Conditions

6. Payment. HHS has agreed to accept, and FMCNA has agreed to pay HHS, the amount of
$3,500,000.00 (“Resolution Amount”). FMCNA agrees to pay the Resolution Amount
on the Effective Date of this Agreement as defined in paragraph II.14 by automated
clearing house transaction pursuant to written instructions to be provided by HHS.
7. Corrective Action Plan. FMCNA has entered into and agrees to comply with the
Corrective Action Plan (“CAP”), attached as Appendix A, which is incorporated into this
Agreement by reference. If FMCNA breaches the CAP, and fails to cure the breach as

3

 set forth in the CAP, then FMCNA will be in breach of this Agreement and HHS will not
be subject to the Release set forth in paragraph II.8 of this Agreement.
8. Release by HHS. In consideration of and conditioned upon FMCNA Covered Entities’
performance of its obligations under this Agreement, HHS releases FMCNA Covered
Entities from any actions it may have against FMCNA Covered Entities under the
HIPAA Rules arising out of or related to the Covered Conduct identified in paragraph I.2
of this Agreement. HHS does not release FMCNA Covered Entities from, nor waive any
rights, obligations, or causes of action other than those arising out of or related to the
Covered Conduct and referred to in this paragraph. This release does not extend to
actions that may be brought under section 1177 of the Social Security Act, 42 U.S.C. §
1320d-6.
9. Agreement by Released Parties. FMCNA Covered Entities shall not contest the validity
of its obligation to pay, nor the amount of, the Resolution Amount or any other
obligations agreed to under this Agreement. FMCNA Covered Entities waive all
procedural rights granted under Section 1128A of the Social Security Act (42 U.S.C. §
1320a- 7a) and 45 C.F.R. Part 160 Subpart E, and HHS claims collection regulations at
45 C.F.R. Part 30, including, but not limited to, notice, hearing, and appeal with respect
to the Resolution Amount.
10. Binding on Successors. This Agreement is binding on FMCNA Covered Entities and its
successors, heirs, transferees, and assigns.
11. Costs. Each Party to this Agreement shall bear its own legal and other costs incurred in
connection with this matter, including the preparation and performance of this
Agreement.
12. No Additional Releases. This Agreement is intended to be for the benefit of the Parties
only and by this instrument the Parties do not release any claims against or by any other
person or entity.
13. Effect of Agreement. This Agreement constitutes the complete agreement between the
Parties. All material representations, understandings, and promises of the Parties are
contained in this Agreement. Any modifications to this Agreement shall be set forth in
writing and signed by all Parties.
14. Execution of Agreement and Effective Date. The Agreement shall become effective (i.e.,
final and binding) upon the date of signing of this Agreement and the CAP by the last
signatory (Effective Date).
15. Tolling of Statute of Limitations. Pursuant to 42 U.S.C. § 1320a-7a(c)(1), a civil money
penalty (“CMP”) must be imposed within six years from the date of the occurrence of the
violation. To ensure that this six-year period does not expire during the term of this
Agreement, FMCNA Covered Entities agree that the time between the Effective Date of
this Agreement and the date the Agreement may be terminated by reason of FMCNA

4

 Covered Entities’ breach, plus one-year thereafter, will not be included in calculating the
six (6) year statute of limitations applicable to the violations which are the subject of this
Agreement. FMCNA Covered Entities waive and will not plead any statute of
limitations, laches, or similar defenses to any administrative action relating to the
Covered Conduct identified in paragraph I.2 that is filed by HHS within the time period
set forth above, except to the extent that such defenses would have been available had an
administrative action been filed on the Effective Date of this Agreement.
16. Disclosure. HHS places no restriction on the publication of the Agreement. In addition,
HHS may be required to disclose material related to this Agreement to any person upon
request consistent with the applicable provisions of the Freedom of Information Act, 5
U.S.C. § 552, and its implementing regulations, 45 C.F.R. Part 5.
17. Execution in Counterparts. This Agreement may be executed in counterparts, each of
which constitutes an original, and all of which shall constitute one and the same
agreement.
18. Authorizations. The individual(s) signing this Agreement on behalf of FMCNA Covered
Entities represents and warrants that they are authorized to execute this Agreement and
bind the FMCNA Covered Entities, as set forth in paragraph I.1.b. The individual(s)
signing this Agreement on behalf of HHS represent and warrant that they are signing this
Agreement in their official capacities and that they are authorized to execute this
Agreement.

For Fresenius Medical Care North America (FMCNA)
___________________________
Louise Bucolo
Sr. Director, Privacy & Information Security Officer
Fresenius Medical Care North America

________________________
Date

For Department of Health and Human Services
____________________________
Susan M. Pezzullo Rhodes
Regional Manager, New England Region
Office for Civil Rights

_____________
Date

5

 Appendix A
CORRECTIVE ACTION PLAN
BETWEEN THE
DEPARTMENT OF HEALTH AND HUMAN SERVICES
AND
FRESENIUS MEDICAL CARE NORTH AMERICA (FMCNA)
I.

Preamble

Fresenius Medical Care Holdings, Inc. d/b/a Fresenius Medical Care North America
(“FMCNA”), on behalf of the FMCNA Covered Entities set forth in paragraph 1.1.b of the
Resolution Agreement (the “Agreement”), hereby enters into this Corrective Action Plan
(“CAP”) with the United States Department of Health and Human Services, Office for Civil
Rights (“HHS”). Contemporaneously with this CAP, FMCNA, on behalf of the FMCNA
Covered Entities, is entering into the Agreement with HHS, and this CAP is incorporated by
reference into the Agreement as Appendix A. FMCNA enters into this CAP as part of
consideration for the release set forth in paragraph II.8 of the Agreement. Capitalized terms
without definition in this CAP shall have the same meaning assigned to them under the
Agreement.
II.

Contact Persons and Submissions
A.

Contact Persons

The contact person for the FMCNA Covered Entities regarding the implementation of
this CAP and for receipt and submission of notifications and reports (“FMCNA Contact”) is:
Ms. Louise Bucolo
Sr. Director, Privacy & Information Security Officer
Fresenius Medical Care North America
920 Winter Street
Waltham, MA 02451
HHS has identified the following individual as its authorized representative and contact
person with whom the FMCNA Covered Entities are to report information regarding the
implementation of this CAP:
Ms. Susan M. Pezzullo Rhodes, Regional Manager
Office for Civil Rights, New England Region
Department of Health and Human Services
JFK Federal Building, Room 1875

6

 Boston, MA 02203
Susan.Rhodes@hhs.gov
Telephone: 617-565-1347
Facsimile: 617-565-3809
The FMCNA Covered Entities and HHS agree to promptly notify each other of any changes in
the contact person or the other information provided above.
B.

III.

Proof of Submissions. Unless otherwise specified, all notifications and reports
required by this CAP may be made by any means, including certified mail,
overnight mail, electronic mail, or hand delivery, provided that there is proof that
such notification was received. For purposes of this requirement, internal facsimile
confirmation sheets do not constitute proof of receipt.

Effective Date and Term of CAP

The Effective Date for this CAP shall be calculated in accordance with paragraph II.14 of
the Agreement (“Effective Date”). The period for compliance (“Compliance Term”) with the
obligations assumed by each of the FMCNA Covered Entities under this CAP shall begin on the
Effective Date of this CAP and end two (2) years from the Effective Date, unless, before the
expiration of that two (2)-year period, HHS issues a written notice of intent to proceed with an
imposition of a civil money penalty (“CMP”) against any FMCNA Covered Entit(y)(ies)
pursuant to 45 C.F.R. Part 160 and section VIII.D of this CAP. The Compliance Term shall only
end with respect to the FMCNA Covered Entit(y)(ies) to which HHS has issued such notice.
After the Compliance Term ends, the FMCNA Covered Entities shall still be obligated to: (a)
submit the final Annual Report as required by section VI; and (b) comply with the document
retention requirement in section VII. Nothing in this CAP is intended to eliminate or modify
FMCNA's obligation to comply with the document retention requirements in 45 C.F.R. §§
164.316(b) and 164.530(j).
IV.

Time

In computing any period of time prescribed or allowed by this CAP, all days referred to
shall be calendar days. The day of the act, event, or default from which the designated period of
time begins to run shall not be included. The last day of the period so computed shall be included,
unless it is a Saturday, a Sunday, or a legal holiday, in which event the period runs until the end of
the next day which is not one of the aforementioned days.

V.

Corrective Action Obligations
The FMCNA Covered Entities agree to the following:
A.

Conduct Risk Analysis
1.

The FMCNA Covered Entities shall conduct an accurate and
thorough assessment of the potential security risks and
7

 vulnerabilities to the confidentiality, integrity, and availability of the
FMCNA Covered Entities’ electronic protected health information
(“ePHI”) (“Risk Analysis”). The Risk Analysis shall incorporate the
FMCNA Covered Entities’ facilities, whether owned or rented, and
evaluate the risks to the ePHI on their electronic equipment, data
systems, and applications controlled, administered or owned by the
FMCNA Covered Entities, that contain, store, transmit, or receive
ePHI. Prior to conducting the Risk Analysis, the FMCNA Covered
Entities shall develop a complete inventory of all of their
facilities, categories of electronic equipment, data systems, and
applications that contain or store ePHI, which will then be
incorporated into their Risk Analysis.

B.

2.

Within fourteen (14) days of the Effective Date, the FMCNA Covered
Entities shall submit to HHS the scope and methodology by which
they propose to conduct the Risk Analysis described in paragraph
V.A.1. HHS shall notify the FMCNA Covered Entities whether the
proposed scope and methodology is or is not consistent with 45
C.F.R. § 164.308 (a)(1)(ii)(A).

3.

The FMCNA Covered Entities shall provide the Risk Analysis,
consistent with paragraph V.A.l , to HHS within one hundred eighty
(180) days of HHS’ approval of the FMCNA Covered Entities’
methodology described in paragraph V.A.2 for HHS’ review.
Within ninety (90) days of its receipt of the FMCNA Covered
Entities’ Risk Analysis, HHS will inform FMCNA Contact in
writing as to whether HHS approves of the Risk Analysis or, if
necessary to ensure compliance with 45 C.F.R. § 164.308(a)(1)(ii)(A),
requires revisions to the Risk Analysis. If HHS requires revisions to
the Risk Analysis, HHS shall provide FMCNA Contact with a
detailed, written explanation of such required revisions and with
comments and recommendations in order for the FMCNA Covered
Entities to be able to prepare a revised Risk Analysis. Upon
receiving notice of required revisions to the Risk Analysis from HHS
and a description of any required changes to the Risk Analysis, the
FMCNA Covered Entities shall have sixty (60) days in which to
revise their Risk Analysis accordingly and submit the revised Risk
Analysis to HHS for review and approval. This submission and
review process shall continue until HHS approves the Risk
Analysis.

Develop and Implement a Risk Management Plan
1.

The FMCNA Covered Entities shall develop a written risk
management plan or plans sufficient to address and mitigate any
security risks and vulnerabilities identified in the Risk Analysis
described in section V.A above (“Risk Management Plan”). The
8

 Risk Management Plan shall include a process and timeline for the
FMCNA Covered Entities’ implementation, evaluation, and revision
of their risk remediation activities.

C.

2.

Within ninety (90) days of HHS’ final approval of the Risk
Analysis described in section V.A above, the FMCNA Covered
Entities shall submit their Risk Management Plan to HHS for HHS’
review. Within sixty (60) days of its receipt of the Risk
Management Plan, HHS will inform FMCNA Contact in writing as
to whether HHS approves of the Risk Management Plan or, if
necessary to ensure compliance with 45 C.F.R. § 164.308(a)(1)(ii)(B),
requires revisions to the Risk Management Plan. If HHS requires
revisions to the Risk Management Plan, HHS shall provide FMCNA
Contact with detailed comments and recommendations in order for
the FMCNA Covered Entities to be able to prepare a revised Risk
Management Plan. Upon receiving notice of required revisions to
the Risk Management Plan from HHS and a description of any
required changes to the Risk Management Plan, the FMCNA
Covered Entities shall have sixty (60) days in which to revise their
Risk Management Plan accordingly, and submit the revised Risk
Management Plan to HHS for review and approval. This
submission and review process shall continue until HHS approves
the Risk Management Plan.

3.

Within sixty (60) days of HHS’ approval of the Risk Management
Plan, the FMCNA Covered Entities shall begin implementation of
the Risk Management Plan and distribute the plan to workforce
members involved with implementation of the plan.

Implement Process for Evaluating Environmental and Operational Changes
1.

The FMCNA Covered Entities shall develop a written process(es) to
regularly evaluate any environmental or operational changes that
affect the security of ePHI in the FMCNA Covered Entities’
possession or control (“Evaluation Process”).

2.

Within ninety (90) days of HHS’ final approval of the Risk
Analysis described in section V.A above, the FMCNA Covered
Entities shall submit the Evaluation Process to HHS for HHS’
review. Within sixty (60) days of its receipt of the FMCNA
Covered Entities’ proposed Evaluation Process, HHS will inform
FMCNA Contact in writing as to whether HHS approves of the
Evaluation Process or, if necessary to ensure compliance with 45
C.F.R. § 164.308(a)(8), requires revisions to the Evaluation Process.
If HHS requires revisions to the Evaluation Process, HHS shall
provide FMCNA Contact with detailed comments and
recommendations in order for the FMCNA Covered Entities to be
9

 able to prepare a revised Evaluation Process. Upon receiving notice
of required revisions from HHS and a listing or description of any
required revisions to such Process, the FMCNA Covered Entities
shall have thirty (30) days in which to revise the Evaluation Process
accordingly and submit the revised Evaluation Process to HHS for
review and approval. This submission and review process shall
continue until HHS approves the Evaluation Process.
3.

D.

Within sixty (60) days of HHS’ approval of the Evaluation Process,
the FMCNA Covered Entities shall implement the Evaluation
Process and distribute copies of it to workforce members of the
FMCNA Covered Entities involved with performing such
evaluations.

Develop Encryption Report
1.

Within one hundred eighty (180) days of HHS’ final approval of the
Risk Management Plan required in section V.B, the FMCNA
Covered Entities shall develop, and FMCNA Contact shall submit to
HHS, a written report or reports regarding the status of the FMCNA
Covered Entities’ implementation of encryption (“Encryption
Report”), which shall consist of:
a.

The total number of all FMCNA Covered Entities’
devices and equipment including, but not limited to,
desktop computers, laptop computers, tablets, mobile
phones, USB drives, and medical equipment, that may be
used to access, store, download, or transmit the FMCNA
Covered Entities’ ePHI as of the date of the Encryption
Report (“Covered Electronic Media”).

b.

The total number of Covered Electronic Media that are
encrypted as of the date of the Encryption Report, as well
as evidence of such encryption.

10

 c.

2.

E.

For any Covered Electronic Media that are not encrypted
as of the date of the Encryption Report, either: (i) a
description of the FMCNA Covered Entities’ plan to
encrypt such Covered Electronic Media and an estimate
of when such Covered Electronic Media will be
encrypted; or (ii) a description of why encrypting such
Covered Electronic Media is not reasonable and
appropriate and a description of the compensating
alternative measures implemented to safeguard the ePHI
accessed, stored, downloaded or transmitted by such
Covered Electronic Media.

The Covered Electronic Media included in the Encryption Report
may be described and organized by category. Further, for each
category of Covered Electronic Media, the Encryption Report
shall document the encryption solution used (e.g., native or third
party encryption product) including the version number of the
encryption solution as well as the encryption algorithms/ciphers
the encryption solution is configured to use. The evidence of
encryption required under paragraph V.D.1.b may be provided in
the form of a screenshot that demonstrates encryption for a
particular category of Covered Electronic Media, a copy of the
license for the encryption software deployed on a particular
category of Covered Electronic Media, or other reasonable means
of demonstrating such Covered Electronic Media are encrypted.

Review and Revise Policies and Procedures on Device and Media Controls
1.

The FMCNA Covered Entities shall review, and to the extent
necessary, revise their policies and procedures related to the receipt,
removal and movement of Covered Electronic Media (the “Device
and Media Controls Policies and Procedures”). The policies shall
identify criteria for the use of such Covered Electronic Media and
procedures for obtaining authorization for the use of Covered
Electronic Media that utilize the FMCNA Covered Entities’ ePHI
systems.

2.

Within ninety (90) days of HHS’ final approval of the Risk
Analysis described in section V.A above, the FMCNA Covered
Entities shall submit the Device and Media Controls Policies and
Procedures required by paragraph V.E.1 to HHS for HHS’ review.
Within sixty (60) days of its receipt of the FMCNA Covered
Entities’ Device and Media Controls Policies and Procedures, HHS
will inform FMCNA Contact in writing as to whether HHS
approves of the Device and Media Controls Policies and Procedures
or, if necessary to ensure compliance with 45 C.F.R. § 164.310(d)(1),
requires revisions to the Device and Media Controls Policies and
11

 Procedures. If HHS requires revisions to the Device and Media
Controls Policies and Procedures, HHS shall provide FMCNA
Contact with detailed, written requirements and recommendations in
order for the FMCNA Covered Entities to be able to prepare
acceptable, revised Device and Media Controls Policies and
Procedures. Upon receiving any notice of required revisions to the
Device and Media Controls Policies and Procedures from HHS, the
FMCNA Covered Entities shall have thirty (30) days in which to
revise the Device and Media Controls Policies and Procedures
accordingly and submit the revised Device and Media Controls
Policies and Procedures to HHS for review and approval. This
submission and review process shall continue until HHS approves
the Device and Media Controls Policies and Procedures.
3.

F.

Within thirty (30) days of HHS’ approval of the Device and Media
Controls Policies and Procedures, the FMCNA Covered Entities
shall finalize and officially adopt the Device and Media Controls
Policies and Procedures in accordance with their applicable
administrative procedures, and provide evidence of implementation
of such policies and procedures to HHS.

Review and Revise Policies and Procedures on Facility Access Controls
1.

The FMCNA Covered Entities shall review, and to the extent
necessary, revise their policies and procedures to limit physical
access to all of their electronic information systems and the facilities
in which they are housed, while ensuring that properly authorized
access is allowed (“Physical Access Policies and Procedures”). The
FMCNA Covered Entities shall develop a facility security plan that
defines and documents the physical security controls to safeguard
the facility or facilities and the equipment therein from unauthorized
physical access, tampering, and theft (“Physical Security Plan”).

2.

Within ninety (90) days of HHS’ final approval of the Risk
Analysis described in section V.A above, the FMCNA Covered
Entities shall submit the Physical Access Policies and Procedures,
including the Physical Security Plan(s), required by paragraph V.F.1
to HHS for HHS’ review. Within sixty (60) days of its receipt of
the FMCNA Covered Entities’ Physical Access Policies and
Procedures, HHS will inform FMCNA Contact in writing as to
whether HHS approves of the Physical Access Policies and
Procedures or, if necessary to ensure compliance with 45 C.F.R. §
164.310(a)(1), requires revisions to the Physical Access Policies and
Procedures. If HHS requires revisions to the Physical Access Policies
and Procedures, HHS shall provide FMCNA Contact with detailed,
written comments and recommendations in order for the FMCNA
Covered Entities to be able to prepare acceptable, revised Physical
12

 Access Policies and Procedures. Upon receiving any such notice of
required revisions from HHS, the FMCNA Covered Entities shall
have thirty (30) days in which to revise the Physical Access Policies
and Procedures accordingly, and submit the revised Physical Access
Policies and Procedures to HHS for review and approval. This
submission and review process shall continue until HHS approves
the Physical Access Policies and Procedures.
3.

G.

Within thirty (30) days of HHS’ approval of the Physical Access
Policies and Procedures, the FMCNA Covered Entities shall finalize
and officially adopt the Physical Access Policies and Procedures in
accordance with their applicable administrative procedures, and
provide evidence of implementation of such Physical Access Policies
and Procedures to HHS.

Develop an Enhanced Privacy and Security Awareness Training Program
1.

The FMCNA Covered Entities shall augment their existing
mandatory Health Information Privacy and Security Awareness
Training Program (“Training Program”) for all the FMCNA
Covered Entities’ workforce members who have access to PHI,
including ePHI. The Training Program shall include general
instruction on workforce members’ obligation to comply with the
FMCNA Covered Entities’ policies and procedures related to the
HIPAA Rules. The Training Program shall also include training on
the new or revised Evaluation Process and all of the new or revised
Device and Media Controls Policies and Procedures and Physical
Access Policies and Procedures (collectively, the “Policies and
Procedures”), to the extent such new or revised Policies and
Procedures are developed and existing policies and procedures are
revised.

2.

Within ninety (90) days of HHS’ final approval of the Risk
Management Plan required in section V.B above, the FMCNA
Covered Entities shall submit the proposed training materials for
HHS’ review. Within sixty (60) days of its receipt of the FMCNA
Covered Entities' training materials, HHS will inform FMCNA
Contact in writing as to whether HHS approves of the proposed
training materials or, if necessary to ensure compliance with 45
C.F.R. §§ 164.308(a)(5)(i) or 164.530(b), requires revisions to the
proposed training materials. If HHS requires revisions to the
proposed training materials, HHS shall provide FMCNA Contact
with detailed, written comments and recommendations in order for
the FMCNA Covered Entities to be able to prepare acceptable,
revised training materials. Upon receiving notice of required
revisions to their proposed training materials from HHS, the
FMCNA Covered Entities shall have thirty (30) days in which to
13

 revise the training materials accordingly, and submit the revised
training materials to HHS for review and approval. This submission
and review process shall continue until HHS approves the training
materials.

VI.

3.

Within sixty (60) days of HHS’ approval of the FMCNA Covered
Entities’ training materials, the FMCNA Covered Entities shall
provide training on the approved Policies and Procedures to
workforce members of the FMCNA Covered Entities, as necessary
and appropriate for such workforce members to carry out their
functions. In addition, the FMCNA Covered Entities shall train
workforce members who return to the workforce after this sixty (60)
day period and any workforce members who commence working
for the FMCNA Covered Entities, or that are given access to PHI,
including ePHI, after the development of the Training Program,
within forty-five (45) days of the commencement of their
employment or affiliation with the FMCNA Covered Entities or
return to the workforce, as applicable.

4.

Each individual who is required to attend training shall certify, in
writing or in electronic form that he or she has received the required
training and the date the training was completed. The FMCNA
Covered Entities shall retain copies of such certifications for no less
than six (6) years following the date training was provided.

5.

The FMCNA Covered Entities shall review the Training Program
annually, and, where appropriate, update the Training Program to
reflect any HIPAA compliance related changes in: (i) the FMCNA
Covered Entities’ policies and procedures; (ii) applicable federal
law; and/or (iii) any material compliance issue(s) discovered during
audits or reviews conducted by the FMCNA Covered Entities or their
designee(s), or HHS.

6.

The FMCNA Covered Entities shall provide training on the policies
and procedures related to the HIPAA Rules to active workforce
members of the FMCNA Covered Entities, as necessary and
appropriate for such workforce members to carry out their functions,
annually.

Training Report and Annual Reports
A.

Training Report. Within one hundred and twenty (120) days after the receipt of
HHS’ approval of the Training Program required by section V.G, the FMCNA
Covered Entities shall submit a written report to HHS known as the “Training
Report,” which shall consist of:

14

 B.

1.

A copy of all training materials used for the training required by
this CAP, a description of the training including a summary of the
topics covered, the length of the session(s) and a schedule of when
the training session(s) were held;

2.

An attestation signed by an officer or director of FMCNA that all
applicable members of the workforce of the FMCNA Covered
Entities have completed the initial training required by section V.G
and have executed the training certifications required by paragraph
V.G.4; and

3.

An attestation signed by an officer or director of FMCNA that
he/she has reviewed the Training Report, made a reasonable inquiry
regarding its content and believes that, upon such inquiry, the
information is accurate and truthful.

Annual Reports. The one (1) year period after the Effective Date and each
subsequent one (1) year period during the course of the Compliance Term shall
be known as a “Reporting Period.” Within sixty (60) days after the close of
each corresponding Reporting Period, the FMCNA Covered Entities shall
submit a report or reports to HHS regarding the FMCNA Covered Entities’
compliance with this CAP for each corresponding Reporting Period (“Annual
Report”). The Annual Report shall include:
1.

A copy of the schedule, topic outline, and training materials for the
training programs provided during the Reporting Period that is the
subject of the Annual Report;

2.

An attestation signed by an officer or director of FMCNA attesting
that the FMCNA Covered Entities obtain and maintain written or
electronic training certifications from all persons who are required
to attend training under this CAP;

3.

An attestation signed by an officer or director of FMCNA attesting
that any revision(s) to the Policies and Procedures required by
section V were finalized and adopted within thirty (30) days of
HHS’ approval of the revision(s), which shall include a statement
affirming that the FMCNA Covered Entities distributed the revised
Policies and Procedures to all appropriate members of the FMCNA
Covered Entities’ workforce within sixty (60) days of HHS’
approval of the revision(s); and

4.

A summary of Reportable Events, if any, the status of any corrective
and preventative action(s) relating to all such Reportable Events, or
an attestation signed by an officer or director of FMCNA stating that
no Reportable Events occurred during the Compliance Term.

15

 VII.

Reportable Events
A.

Reportable Events. After the implementation of the Policies and Procedures in
accordance with paragraphs V.E.3 and V.F.3, the FMCNA Covered Entities shall,
during the remainder of the Compliance Term, upon receiving information that a
workforce member may have failed to comply with such policies and procedures,
promptly investigate the matter. If the FMCNA Covered Entities, after review
and investigation, determines that a member of its workforce has failed to comply
with such policies and procedures, the FMCNA Contact shall report such event(s)
to HHS as provided in section VI.B.4. Such violations shall be known as
“Reportable Events.” The report to HHS shall include the following:
1.

A complete description of the event, including the relevant facts, the
persons involved, and the provision(s) of the Policies and Procedures
implicated; and

2.

A description of the actions taken and any further steps FMCNA and
the FMCNA Covered Entities’ plan to take to address the matter to
mitigate any harm, and to prevent it from recurring, including
application of appropriate sanctions against workforce members who
failed to comply with the Policies and Procedures.

VIII. Document Retention
The FMCNA Covered Entities shall maintain for inspection and copying, and shall
provide to HHS, upon request, all documents and records relating to compliance with this
CAP for six (6) years from the Effective Date. Nothing in this Agreement shall be construed to
constitute a waiver by FMCNA or any of the FMCNA Covered Entities of any applicable legal
privilege against disclosure, including the attorney-client privilege and the work product
doctrine. If HHS requests access to information or documentation which FMCNA or any of the
FMCNA Covered Entities seeks to withhold on the basis of an applicable legal privilege against
disclosure, including the attorney-client privilege or the attorney work product doctrine, FMCNA
shall provide HHS with a description of such information and the type of privilege asserted.
IX.

Breach Provisions

The FMCNA Covered Entities are expected to fully and timely comply with all
provisions contained in this CAP.
A.

Timely Written Requests for Extensions. The FMCNA Covered Entities
may, in advance of any due date set forth in this CAP, submit a timely
written request for an extension of time to perform any act required by this
CAP. A “timely written request” is defined as a request in writing received
by HHS at least five (5) days prior to the date such an act is required or due
to be performed. This requirement may be waived by HHS only.

B.

Notice of Breach of this CAP and Intent to Impose CMP. The Parties agree
16

 that a breach of this CAP by a FMCNA Covered Entity constitutes a breach
of the Agreement by that FMCNA Covered Entity. Upon a determination by
HHS that any FMCNA Covered Entity has breached this CAP, HHS may notify
FMCNA Contact of: (1) the FMCNA Covered Entity’s breach; and (2) HHS’
intent to impose a CMP pursuant to 45 C.F.R. Part 160, for the Covered
Conduct set forth in paragraph I.2 of the Agreement and any other conduct that
constitutes a violation of the HIPAA Privacy, Security, or Breach Notification
Rules (“Notice of Breach and Intent to Impose CMP”).
C.

D.

FMCNA Covered Entities’ Response. Any FMCNA Covered Entity named in
a Notice of Breach and Intent to Impose CMP shall have thirty (30) days from
the date of receipt of the Notice of Breach and Intent to Impose CMP to
demonstrate to HHS’ satisfaction that:
1.

The FMCNA Covered Entity is in compliance with the obligations
of the CAP that HHS cited as the basis for the breach;

2.

The alleged breach has been cured; or

3.

The alleged breach cannot be cured within the thirty (30) day
period, but that the FMCNA Covered Entity: (a) has begun to take
action to cure the breach; (b) is pursuing such action with due
diligence; and (c) has provided to HHS a reasonable timetable for
curing the breach.

Imposition of CMP. If at the conclusion of the thirty (30) day period, the
FMCNA Covered Entity fails to meet the requirements of section VIII.C of this
CAP to HHS’ satisfaction, HHS may proceed with the imposition of a CMP
against that FMCNA Covered Entity pursuant to the rights and obligations set
forth in 45 C.F.R. Part 160 for any violations of the HIPAA Rules applicable to
the Covered Conduct set forth in paragraph I.2 of the Agreement and for any
other act or failure to act that constitutes a violation of the HIPAA Rules. HHS
shall notify FMCNA Contact in writing of its determination to proceed with the
imposition of a CMP pursuant to 45 C.F.R. §§ 160.312(a)(3)(i) and (ii).

17

 For Fresenius Medical Care North America (FMCNA)

___________________________
Louise Bucolo
Sr. Director, Privacy & Information Security Officer
Fresenius Medical Care North America

________________________
Date

For Department of Health and Human Services
___________________________
Susan M. Pezzullo Rhodes
Regional Manager, New England Region
Office for Civil Rights

________________________
Date

18